Abstract

Writable XOR eXecutable (W XOR X) and
Address Space Layout Randomisation (ASLR), have
elevated the understanding necessary to perpetrate
buffer overflow exploits [1]. However, they have not
proved to be a panacea [1] [2] [3] and so other
mechanisms such as stack guards and prelinking have
been introduced. In this paper we show that host based
protection still does not offer a complete solution. To
demonstrate, we perform an over the network brute
force return-to-libc attack against a pre-forking
concurrent server to gain remote access to W XOR X and
ASLR. We then demonstrate that deploying a NIDS
with appropriate signatures can detect this attack
efficiently.